Re: 2 NIC card

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Hi,

Stefan Lundin wrote:
> You don't say what O/S you're using, but if it's Linux (probably works 
> for other o/s's too), you can specify the interface as "any" to listen 

Yes, but notice that in that case the kernel will copy all packets of
the specified packet type (in this case Ethernet) to the user space -
that means even from the loopback, which is not always the traffic you
want to see. This should definately not be used in high performance
setups. See man 7 packet for more information and proove it by the 
following command

snort -vd -i any ! port 139 and ! port 22 and host 127.0.0.1

then do a "ping localhost" on the other console...

Loopback is a very fast interface (approx. 200MB/sec (!)) and has a
big MTU (16436 by default on my system) so can really run into
problems here.

The other issue is that in that case sniffing in promiscuos mode is
not possible (the flag promisc=1 is being ignored by the socket), so
you have to set the promiscous mode on the interface by yourself, if
possible.

Best regards,

Edin

--
Edin Dizdarevic



-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users